Let's use pydbg, a debugger
module that was developed to take advantage of the Win32 API. To properly
utilize the pydbg module, the basic concept of a debugger must be understood.
1. Concept of a Debugger
A debugger is a kind of
interrupt subroutine that temporarily stops the operation of the process that
is being performed. When the debugger execution is completed, the process logic
will continue. The debugger sets the breakpoint in the instruction that you
want to debug and continuously monitors the occurrence of an event. When the
operating system detects a break point while processing an instruction, it calls
the callback function that is specified.
4-1 Concept of a Debugger
Hackers normally
place the hacking script inside the callback function
when hacking with the debugger. Typically the
API Hooking technology is used, and when the program calls a function
to store the data, if the value in memory changes, the data stored in the file
can be manipulated.
Let’s take a
brief look at how the debugger works. For
each stage, it is possible to use the Win32 API.
It is possible to call the Win32 API by using the ctypes module in Python.
Moreover, Python can use the pydbg module and can more easily provide debugging.
4-2 Debugger Operation Procedure
For
(1), (2), (3), (4), (5), (7), the programmer directly implements using pydbg.
For (6), (8), the operating system performs operations based on the information
that programmer has registered.
(1) Getting
the PID: The running process has its own ID (PID, Process ID), which is an
identification number that is assigned to each process by the OS. The Win32 API
can be used to obtain the PID of the process that you want to debug.
(2) Getting
Instruction Address: Check all lists of the modules that are mapped into
the process’s address space to obtain the address of the function in order to
try to set the breakpoint.
(3) Setting the Breakpoint: Set a breakpoint by
replacing the first two bytes of the instruction code with “CC”. The debugger
saves the original instructioin code into the breakpoint list that is managed
internally. Therefore, there is no problem in returning to the original process.
(4) Registering Callback Function: When the
process executes the instruction that the breakpoint has set, a debug event
occurs. The operating system then generates an interrupt and starts to perform
an interrupt subroutine. The interrupt subroutine is the callback function that
the programmer has previously registered.
(5) Waiting for the Debug Event: The
Win32 API is used for the debugger to indefinitely wait for the debug event to
occur and to call the callback function.
(6) Debug Event Occurs: When the debug process
finds a break point during execution, an interrupt is generated.
(7) Executing the Callback Function: The
interrupt subroutine is executed when the interrupt occurs. Previously the
registered callback function corresponded to the interrupt subroutine, and the
hacking code was planted to the callback function, which makes it possible to
perform the desired behavior.
(8) Returning to
the Original Process: If a
callback function is finished, the program will return to the normal process
flow. The Windows operating system supports the Win32 API at each stage, and it
is possible to call it by using the ctypes, as described above. Pydbg is then
used to call the Win32 APIs as well. Let's examine the basic concept of hacking
by installing the pydbg module that simplifies complicated procedures.
2. Installation of the Pydbg Module
In order to hack the Windows
applications with Python, you should take advantage of the window functions in
the Windows DLL. Python natively supports an FFI (Foreign Function Interface)
package called ctypes, through which it is possible to use a DLL and the data
type of the C language. Also ctypes can be used to implement the extension
module only with pure Python code. However, in order to use the Windows DLL
using the ctypes directly, it is necessary to gather a great amount of
knowledge of the window function. For example, you must declare the structure
and the union to call the function, and you need to implement a callback
function. Therefore, rather than using ctypes directly, it is preferable to
install the Python modules that have been developed in advance.
The start hacking with
Python, you can install a Third Party Library. First, the PyDbg module is
installed as an open source Python debugger, and it is often used in
applications for hacking and reverse engineering. Let's create a simple test
code. PyDbg is a sub-module of the PaiMei framework that was introduced by
Pedram Amini in RECON2006. PaiMei is composed of three core components, including
PyDbg, pGRAPH, PIDA and three extended components such as Utilities, Console,
and Scripts. PaiMei is also a framework that was developed by using pure Python.
PyDbg, which supports powerful debugging capabilities, can implement a user
defined function through a callback function extension.
To
install the program, download the installation file “PaiMei-1.1-REV122.zip”
from the open-source site
“http://www.openrce.org/downloads/details/208/PaiMei”.
4-3 www.openrce.org
You
can easily install it by unzipping the downloaded file and clicking on the
executable file.
4-4 Installation File
PaiMei
requires a little bit of extra work to maintain compatibility with Python
2.7.x. Open the “__init__.py” file in the “Python directory\Lib\ctypes” folder
and then add the following two lines of code.
######################################################
# This file
should be kept compatible with Python 2.3, see PEP 291. #
######################################################
"""create and manipulate C data types in
Python"""
import os as _os, sys as _sys
__version__ = "1.1.0"
from _ctypes import Union,
Structure, Array
from _ctypes import _Pointer
from _ctypes import CFuncPtr as
_CFuncPtr
from _ctypes import __version__
as _ctypes_version
from _ctypes import RTLD_LOCAL,
RTLD_GLOBAL
from _ctypes import
ArgumentError
from _ctypes import Structure
as _ctypesStructure #add for
paimei
from struct import calcsize as
_calcsize
class Structure(_ctypesStructure): pass #add for
paimei
if __version__ !=
_ctypes_version:
raise Exception("Version
number mismatch", __version__, _ctypes_version)
|
Download
the pydasm.pyd file that has been re-built for Python version 2.7.x, and copy
it to the “Python directory\Lib\site-packages\pydbg” folder. The pydasm.pyd
file can be easily found on the Internet, and if the message “hello pydbg” is printed,
installation can be determined to have been successful.
import pydbg
print "hello
pydbg"
>>>
hello
pydbg
|
Pydbg
can be used to easily implement various hacking techniques including Key
Logging and API Hooking.
3. API Hooking
API
Hooking is a hacking technique that steals an API call during normal operation.
A simple API Hooking program can be build using the functionality provided by Pydbg.
4-7 API Hooking
API
Hooking can be used to store data in the Notepad program. Let’s make a program
that swaps out the user-created content. When you click the "Save"
button to create a Notepad file, the content changes. In this case, the user wrote
“love” in Notepad, but “hate” is stored in the file.
The APIHooking.py program is used to learn about the API hooking
technique through Pydbg. The Pydbg
module is internally implemented with the ctype that calls the Win32
API. A programmer can easily use functions provided by Pydbg.
Import utils, sys
from pydbg import *
from pydbg.defines import *
‘’’
BOOL WINAPI WriteFile(
_In_ HANDLE hFile,
_In_ LPCVOID lpBuffer,
_In_ DWORD nNumberOfBytesToWrite,
_Out_opt_ LPDWORD lpNumberOfBytesWritten,
_Inout_opt_ LPOVERLAPPED
lpOverlapped
);
‘’’
dbg = pydbg()
isProcess = False
orgPattern = "love"
repPattern = "hate"
processName = "notepad.exe"
def replaceString(dbg, args): #(1)
buffer =
dbg.read_process_memory(args[1], args[2]) #(2)
if orgPattern in buffer: #(3)
print "[APIHooking]
Before : %s" % buffer
buffer = buffer.replace(orgPattern,
repPattern) #(4)
replace =
dbg.write_process_memory(args[1], buffer) #(5)
print "[APIHooking]
After : %s" % dbg.read_process_memory(args[1], args[2])
return
DBG_CONTINUE
for(pid, name) in
dbg.enumerate_processes(): #(6)
if
name.lower() == processName :
isProcess
= True
hooks =
utils.hook_container()
dbg.attach(pid) #(7)
print "Saves
a process handle in self.h_process of pid[%d]" % pid
hookAddress = dbg.func_resolve_debuggee("kernel32.dll", "WriteFile") #(8)
if
hookAddress:
hooks.add(dbg, hookAddress, 5, replaceString,
None) #(9)
print "sets a
breakpoint at the designated address : 0x%08x" % hookAddress
break
else:
print "[Error]
: couldn't resolve hook address"
sys.exit(-1)
if isProcess:
print "waiting
for occurring debugger event"
dbg.run() #(10)
else:
print "[Error]
: There in no process [%s]" % ProcessName
sys.exit(-1)
|
(1) Callback Function Declaration: Declare the callback
function that is to be called when a Debug Event occurs. The hooking code is inside
of this function.
(2) Reading Memory Value: Read a certain length of data
in a specified address. This value is stored in memory and is written to a
file. (kernel32.ReadProcessMemory)
(3) Checking Pattern in Memory Value: Check the desired pattern that
is to be changed in the memory value
(4) Changing of the Value: The hacker changes the
value when the desired pattern is detected.
(5) Writing Memory Value: Save the changed value in
memory. "love" has been changed to "hate" in memory.
(kernel32.WriteProcessMemory)
(6) Getting Process ID List: Get a list of all the
Process IDs running on the Windows operating system.
(kernel32.CreateToolhelp32Snapshot)
(7) Obtaining Process Handle: Get a handle and store it
in the class. The operating system provides a process with a handle to use
resources. (kernel32.OpenProcess, kernel32.DebugActiveProcess)
(8) Obtaining the Address of the Function
to Install a Breakpoint: Use the handle to investigate the value of the
memory of the process. Locate the Win32 API function returns the address you
want
(9) Set Breakpoint: Set a breakpoint in the
target function and register a callback function to handle when a debug event
occurs.
(10) Starting Debug:
waiting for a debug event in an endless loop, if the Event has occurred, call
the callback function.
It is a simple example, but
if you expand the callback function, it can be used in a variety of fields. If you
set a breakpoint on a function in particular to process the input data, the
callback function stores the password in a separate file, and another hacking
program can send the file to a third site.
TIP
|
• Handle
If you want to handle the resources with the
Win32 API on a Windows operating system, first, you should know the handle
pointing to the physical address of that resource. The physical address where
the resource is located may vary according to the time, and it is possible to
conveniently use Windows resources through an intermediate medium handle.
|
The result of the program is as
follows.
4-9 Results for APIHooking.py
No comments:
Post a Comment